The following is just my opinion based on my experiences and readings. I am not an expert in anything, nor will I likely ever be one. My hope is that it might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.
When I changed roles from a server administrator to a security specialist not too long ago, I knew I would need to know more to be successful in my new role.
I tend to have a bit of an attention problem (imagine Homer saying, “Look, a dog with a puffy tail”) and have a hard time focusing on just one thing. I blame it on years of being interrupted by clients while juggling dozens of projects. One way I have discovered to overcome this problem is to use a quest for certification to force me to focus.
I’m not going to get into the whole “is a paper really worth anything” discussion. A certification is just a certification. It does not make someone better than someone who doesn’t have one. I use the process of working towards certification as an opportunity to focus the quest for knowledge. Not knowledge of how to take the test, but knowledge of the skills the test is supposed to be measuring.
The CISSP track of isc2.org was recommended to me as a good way to get a quick dousing in some of the fundamental concepts in Information Security.
The CISSP exam focuses on ten domains. A few big themes became apparent while learning them:
CIA – confidentiality, integrity and availability, and how those relate to each domain
Executive buy-in – if you don’t have support from the top, you are going to have very slow forward progress, if any at all.
Everyone is a part of security.
You cannot prevent all security incidents, so you had better be able to detect them.
I picked up a couple of books to prepare on my own. I already held a Security+ certification and a number of years of real-world experience in the realms of desktop, server and network security, so it was fairly easy to become familiar with the concepts.
As luck would have it, a CISSP boot camp was being offered. I had never taken a boot camp before, and say what you will about boot camps and how they may be more focused on teaching you how to take the test than on actually learning, but for me this was the perfect way to stay focused on something for a week. The instructor was excellent and had great explanations for some of the concepts that were new to me.
The day after the boot camp, we wrote the exam. As I went to hand it in, I thought I had done pretty well. By the time I got back to the parking lot, I was less sure, but thought maybe I could scrounge the 700 points needed to pass. By the next morning, I was sure that I had failed and was checking online to see where I could re-write.
The long wait
A week went by.
I received an email from isc2. My heart raced as I opened it. Doh! They were just soliciting feedback on the exam process.
Another week went by.
Another email. This one looked more ominous. I broke into a cold sweat while clicking.
I have experience with a number of other testing/certification organizations. Some of my first certifications in the ’90s seemed ridiculous. The preparation tools and the overall knowledge objectives they state they are testing are great, but quite often the questions on the test somehow cheapened the whole experience. Fortunately, I think exams have gotten better over time.
The CISSP exam was long and tiring, but for the most part the questions didn’t try to trick you with the dreaded “select the best answer”.
Becoming a CISSP did not make me an all-knowing security expert. What it did do was introduce me to security concepts and paradigms, and it laid a strong foundation I could build upon.
I am still building…
Sometime, once my wounds have healed, I will recount my quest for the Offensive Security Certified Professional. Now that’s a test!